I'm wondering if there is an Event Log or some file that can be monitored via an RMM product for endpoint restarts? I'm not sure if anyone has been able to accomplish this.
Right now, unless I look at the Events in Sophos Central, I don't know if a machine needs a restart. I don't think the Sophos Endpoint restart notification creates the flag that most RMMs monitor for a restart.
Thanks.
Hello, A few things of note for when Sophos requires an update.
SophosInterceptXCLI.exe
"C:\Program Files\Sophos\Endpoint Defense\SophosInterceptXCLI.exe" query softwaremonitor updating --json | ConvertFrom-Json | ConvertTo-Json
{
    "updating_details": {
        "download_state": "good",
        "install_state": "good",
        "reboot_required": "no",
        "updating_assessment": "good",
        "VersionInfo": [
            "@{DisplayVersion=2025.1.0.536.0; Version=2025.1.0.536.0; name=Core Agent}",
            "@{DisplayVersion=2025.1.0.28.0 SPRINT 2024.51; Version=2025.1.0.28.0; name=Device Encryption}",
            "@{DisplayVersion=2023.2.0.3; Version=2023.2.0.3; name=Managed Detection and Response}",
            "@{DisplayVersion=2024.1.2.1.0; Version=2024.1.2.1.0; name=Sophos Intercept X}"
        ]
    }
}
I believe this tool is the supported way to get to the "latest" data under:
HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SoftwareMonitor\Store\SoftwareMonitor
e.g.:
HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SoftwareMonitor\Store\SoftwareMonitor\20250213174410301433\ssm_updating
Otherwise, the values under
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags
(UrgentRebootRequired, RebootRequired, RebootRequiredSince) could be used.
VolatileFlags is a volatile registry key, in that it is automatically removed on a reboot. This ensures it's always gone after a restart, as it only exists in memory:
new-item HKLM:\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags -Name test
new-item : Cannot create a stable subkey under a volatile parent key.
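The following is an added example (it is not code from the post above or from Sophos): an RMM-style PowerShell check that combines the two sources described in the post, the SophosInterceptXCLI.exe JSON output and the VolatileFlags registry values, and returns a non-zero exit code when a reboot is pending. Assumptions are labelled in the comments: the CLI path and registry path are the ones quoted in the post, the flag values are treated as 1 = set, and the script is run as SYSTEM from a 64-bit PowerShell host.

```powershell
# Added example, not from the original thread. Reports whether the Sophos
# endpoint needs a reboot. Exit code 1 = reboot required, 0 = not required.
# Assumes the paths quoted in the thread; run from 64-bit PowerShell as SYSTEM
# (some RMMs launch a 32-bit host, which can see a different registry view).

$cli   = 'C:\Program Files\Sophos\Endpoint Defense\SophosInterceptXCLI.exe'
$flags = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags'

function Get-SophosRebootState {
    $result = [ordered]@{ Source = 'none'; RebootRequired = $false; Urgent = $false; Since = $null }

    # 1. Preferred source: the supported CLI. It prints JSON in which
    #    updating_details.reboot_required is "yes" or "no".
    if (Test-Path -LiteralPath $cli) {
        try {
            $json = (& $cli query softwaremonitor updating --json 2>$null) | Out-String
            if ($LASTEXITCODE -eq 0 -and $json.Trim()) {
                $d = ($json | ConvertFrom-Json).updating_details
                $result.Source         = 'cli'
                $result.RebootRequired = ($d.reboot_required -eq 'yes')
                return [pscustomobject]$result
            }
        } catch {
            # CLI present but unusable (old build, output changed): fall through.
        }
    }

    # 2. Fallback: the volatile registry key. It lives only in memory and is gone
    #    after a restart, so if it is absent nothing is pending. Check the values
    #    rather than mere existence, in case the key exists with both flags at 0
    #    (assumption: 1 means "set", as the thread describes).
    if (Test-Path -LiteralPath $flags) {
        $p = Get-ItemProperty -LiteralPath $flags
        $result.Source         = 'registry'
        $result.Urgent         = ([int]$p.UrgentRebootRequired -eq 1)
        $result.RebootRequired = $result.Urgent -or ([int]$p.RebootRequired -eq 1)
        $result.Since          = $p.RebootRequiredSince
    }
    return [pscustomobject]$result
}

$state = Get-SophosRebootState
$state | Format-List            # visible in the RMM's script output for troubleshooting
if ($state.RebootRequired) { exit 1 } else { exit 0 }
```

The CLI is tried first because the post describes it as the supported interface; the registry branch only runs if the CLI is missing or its output cannot be parsed. If your RMM keys its "reboot pending" condition off the script's exit code rather than its output, make sure the condition is configured for exit code 1, since a script that prints "1" but exits 0 will run "successfully" without ever raising the flag.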
Looking at the second key you mentioned, if I just monitor RebootRequired or UrgentRebootRequired, that should be sufficient. Basically, if one of them is set to 1, a reboot is needed.
If it's easier, you could probably just check whether the key VolatileFlags exists; if it does, a reboot is required.
I was able to create a script that looks at the UrgentRebootRequired and RebootRequired. If either one shows a 1 it then outputs a Result Code of 1. I'll have to work with NinjaOne as to why it's not triggering the automation. Thanks for the help on this.
Hello Chris
Hope you don't mind me jumping on this thread. I'm going to look at this myself, but I'm also finding we aren't always alerted when a PUA or virus is found. Wondering if you have found a way to monitor via Event IDs into your RMM too? I think this would be useful, as well as the updating flag.
Thanks
Terry
I need to open a ticket with NinjaOne to figure out why the script isn't triggering a reboot flag. The script runs successfully, but I must be missing something else.
I don't know the Event IDs off the top of my head, but try to trigger an Unauthorized Application and it should show right away in Event Viewer. Depending on your RMM, you might be able to query via an API with it (I haven't gotten that far yet).
Hi Chris, our RMM is picking up Event ID 42 and then flagging this as an alert so this is working from this point of view.
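As an added example (not code from any of the posters or from Sophos), here is how the Event ID 42 check Terry describes can be done as a script condition when an RMM cannot subscribe to the event directly. Event ID 42 is the only identifier the thread gives; the log name (Application) and the provider-name filter ("Sophos") are assumptions, so confirm them against the event you see in Event Viewer before relying on this.

```powershell
# Added example, not from the original thread. Lists recent Sophos events with
# the given IDs so an RMM script condition can alert on them.
# Assumptions (not confirmed by the thread): the events are written to the
# Application log, and the provider name contains "Sophos". Event ID 42 is the
# ID the thread's RMM alerts on; extend $Ids once you have confirmed the others.
function Get-SophosDetectionEvents {
    param(
        [int[]]  $Ids             = @(42),
        [int]    $Hours           = 24,
        [string] $ProviderPattern = 'Sophos'    # assumption, see note above
    )
    $filter = @{
        LogName   = 'Application'               # assumption
        Id        = $Ids
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when no events match, so suppress that and return nothing.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like "*$ProviderPattern*" } |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

$events = @(Get-SophosDetectionEvents)
if ($events.Count -gt 0) {
    $events | Format-Table -AutoSize   # shows up in the RMM's script output
    exit 1                             # alert condition
}
exit 0
```

Scoping the query with StartTime matching the RMM's polling interval keeps each run from re-alerting on events it has already reported, and filtering on the provider name rather than the bare ID avoids false positives from other applications that happen to use the same event number.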